Skip to main content

tv   C-SPAN2 Weekend  CSPAN  June 2, 2012 7:00am-8:00am EDT

7:00 am
potential weakness. three share threat vulnerability information with all members so they can protect themselves. one of the tenets with a long time ago to help all the institutions. >> thank you. mr. graff. >> a couple points quickly. one thing that would move us towards the situation you would like to see in terms of preparedness is more cooperation from computer manufacturers and software vendors and producing products that are easier to secure and i say that to someone who used to work for a software manufacturer years ago. there are a lot of issues that are not a problem. if we make the assistance with your vulnerability is then the smaller banks and financial institutions would be replaced. i also want to point out quickly in addition to information sharing which is paramount we don't have time for a lengthy
7:01 am
discussion but the supply chain problem, the threats of supply chain attack are really perhaps not the most serious issue that faces us and one that would be most susceptible to help from government. i have been working in the government sector for a long time and it is one where u.s. government could make the biggest decision. >> that is very helpful. i yield back. >> thank you, mr. chairman. thank you all for being here. i have a couple questions i hope i can get in. first of all, maybe this cantley did address this little bit, but i have a constituent that called several years ago and she had her home business and she kept getting into it and kept trying
7:02 am
to find software, she put software in, and cost-effective measures that small businesses hoodoo personal transactions, and the smart phone. >> customers here using laptops and workstations, and industry to these customers, a user dedicated computer, we did not use for surfing the internet or checking e-mail. this is a cheap insurance way for insuring online until as mr. graff pointed out the industry
7:03 am
can get to the point where some of the software in both supply chain is more robust but also i would like to commend companies like microsoft who have stepped up to the plate and are now producing software that can remediator millions and millions of customers that are infected. to the second part of your question, smart phones and other mobile devices are an emerging risk and everyone at this table is listening to what is happening in other parts of the world and making sure we are analyzing those threats and putting up for prius remediation in place. also working on the education front to let people know of the risk there. the guidance we have does not mention local -- mobile phones it is applicable to that technology so again, no more
7:04 am
regulation or guidance is needed. we have what will work today and as the threats change, we will get additional guidance. >> are any of you familiar with chicago first? something that was founded in 2003 by chicago area of financial organizations and enhance the resilience of the chicago financial community and critical infrastructure overall and they held a number of exercises for exploring the threat including cybersecurity threats and focusing on preparedness. mr clancy? >> we are very familiar with chicago first. they are what we call the regional coalition. in the coordinating council we partner with organizations like chicago first. in my institution we are not based in chicago but participate in a few of their exercises. it is one of are circles of
7:05 am
trust. >> thank you. i worry about government agencies adequately protecting proprietary information, voluntarily share security threat information. and members of the european union and the u.s. are in discussion about this particularly as it relates to banks or other financial firms including insurance. have any of you or your organization's been involved in these discussions with the u.s. and international regulatory standard setting bodies? i guess we will have to seek the answer to that later on. let me ask again about mr. cantley -- you -- how does a
7:06 am
small business entrepreneur go to get the information that they need? is there a place online that they can find out? >> many financial institutions have information on their web sites or health seminars for their customers. also the ssi stack through its account takeover task force has put together some joined bulletin's which we made available to our members. they can print those and give those to our customers and they include all the recommendations we have for consumers and businesses for operating safely in the operating space and stay safe online which is the web site that has a number of good recommendations. >> i yield back. >> mr. dold. >> i appreciate the time.
7:07 am
i will go to you first of i can and i appreciate and agree we don't want additional regulations. we are concerned about cyberthreat and trying to protect consumers as well. my question is what role should the government take in combating the attacks in private systems? >> the key role we are looking for from the financial services industry is information sharing on a timely basis. and reconnect upon it, and if the government as information to foreign actors, we would like to be made aware of it. >> what would be a time line that would be appropriate? >> as soon as they know about it
7:08 am
serve. >> i had mentioned before there are hundreds of thousands of institutions, and rain the doorbell. and somebody taking a crowbar to the side window. and you identify these threats coming in, different sophisticated levels. nasdaq to try to identify these. >> to become as much as possible, who the potential actors are and the most sophisticated attacks that are out there, we are interested in
7:09 am
the information sharing we talked about today. the information we try to clean ourselves with who is attacking various financial institutions, the best that the fbi can find out and what tools they are using. another approach is to try to build systems that can withstand to use your analogy the attack of the crowbar. we put a great deal of effort in to make sure that the critical systems are deeply isolated and completely inaccessible to anyone coming from the outside except very specific and very highly protected and regulated specialized channels for the use of exchanging trading information. one of the things we do is only allowed a narrow channel of communication in to the trading
7:10 am
systems that go through several barriers and inspect it and here is a point that may not be obvious. when you are talking about regulating information that flows through network there are two ways you can do it. one is to constrained where the information comes from. another way is to constrain what kind of information it comes through. to do that both ways we use several layers of firewall to put the information that flows in and flows out through smaller and smaller filters. another point i would like to make is the analysis of trying to protect inside our house, families, it is not necessary to understand the ways somebody
7:11 am
might get into the house. in many cases the defenses we build are proof against many attacks. we tried to build strong defenses to defense successfully against unanticipated attacks. >> from each of your perspective sir, as we look at things we're looking at in the committee, would you trying to deal with right now and how do we in the financial services committee held try to draft legislation or highlight issues out there today. in terms of cybersecurity. >> essentially going after the bad guys and to pressure foreign
7:12 am
governments. they want to participate in the global economy, they need to demonstrate they enacted favorable cybersecurity legislation, and people responsible for these cybercrimes. and the advanced malware are we see, and customer computers and mention this well day. >> my time is expired. i yield back. >> thank you, mr. chairman. appreciate the witnesses being here and sharing expertise with us. you talked earlier about education and how that can help. how can this problem be cured by
7:13 am
good computer hygiene and good habits with much more active defense? >> the internet ecosystem requires a lot of players to act to make the internet a safe place for financial commerce and good computer hygiene, representative malone -- maloney mentioned business customers to are not even running anti virus software. that is critical. and the industry, telecommunications, and software manufacturers. >> they can't allow consumers,
7:14 am
anti virus software, malware, and institutions, and transactions. >> that particular step to do that, agents and an institution would play on customers' computer so some institutions may choose to go down that road. to make that decision. this goes back to the guidance which says look at layered security and to validate, do you think the customer is doing that transaction? is that in keeping with the customer's pattern of behavior? without necessarily looking at the wholesomeness of that
7:15 am
particular computer? >> how many institutions, miss cantley and others who want to answer how many companies use cyberinsurance to protect against liability. still in infancy. what folks out there used that? >> we get back to you, and second infancy, decade or so and had some issues, institutions are looking at it but look at a number of specific -- >> cyberinsurance can be a part
7:16 am
of creating essentials new requirements that we would pass but more dynamic model to shore risk-management his approach in a smart way, and new issues out there? >> i would answer that in the sense that it would be helpful to other sectors. and pay attention to cybersecurity issues, and underwriting improvements in the process. >> thank you. and cyberinsurance, does it allow you information about risks in a way that happens soon
7:17 am
enough or efficient enough or completely past but in its current form are there changes you would recommend to that bill? >> what i would say on this one, any improvements we make to the public, private information sharing happening today we have great examples of it. and take advantage of things like private sector clearance program and another one to help get access to more information from intelligence agencies. enhance information sharing in the private sector. and perceive real barriers from a legal perspective preventing information sharing from happening today. this legislation could address those issues as well and also
7:18 am
would like to see what is working well. talked a lot about -- avert a decade of trust and would like to see those continue to be leverage or placed in any additional hierarchy or essential clearinghouse above that. that could introduce more bureaucracy to it. >> my time is expired. >> thank you, mr. chairman. my subcommittee had a hearing a few months ago on this new interview created under dodd-frank to put clearing house for storing house for a lot of financial data. i was looking at our panelists today. many of you are going to be providing some information. mr clancy, what kinds of
7:19 am
connectivity and concerns we had and this question came out during our hearing. how secure is this data that the o f are is going to be mining from financial markets? can you elaborate on your discussions and whether you have concerns about their ability to protect that data? >> i am going to focus my comments on protection as opposed to disclosures made by 0 f r. it is part of treasury and fall under cybersecurity standards, that is the macro picture. we have got to work out ways to send information that protect the information in transit. the methods being used today are somewhat at hawk because of the new nests -- newness of the function and the need to look at risk performance perspective including other nations getting into that data and defending
7:20 am
that level of aggression. >> thank you, mr. graff. you put your finger on a central problem which is how do we share that information security and there are fairly sound methods i could talk about to protect in transit as a challenge but the technology issue there. the more intense concern might be protecting it once it arrived in federal networks to say to themselves very strong target. that is a concern of ours. always want to work with federal agencies to make sure the information we give them is sufficient but no more than they need and no more specific than they need and we like assurances about the way they protect those internal systems as well. that is an important problem.
7:21 am
it does encourage good security but i think there's room for improvement. >> mr. weiss. >> i am sorry. i am not familiar with that particular regulation. >> okay. i want to go back to mr. clancy. there are multiple aspects and one is the transmission of the data and secondly once the data give to o f are how would be protected and the third piece of it, market participants brought up, who will have access to that data moving forward and how they will be able to use that data and the access they are bringing. those are areas that you have concern about. >> access to the data itself is one of the key questions both in terms of the appropriateness of
7:22 am
what is done with the data and how it was exported as well as how you defend against it being misused. what we mentioned earlier in the panel is the celts were taken over. this happened to institutions and inside. access credentials were used illegal somebody else could potentially exploit the data that exists in those repositories. to that end expects high level of resilience to those attacks to be built into the design system, operation of the platforms used by ofr. >> we talked about financial services and small businesses and individuals on their computers at home or their laptops and a lot of discussion going on about using cloud top systems to store your sensitive
7:23 am
data rather than storing it on your hard drive. this is acquistion. in your professional opinion, is my data more secure in a remote location or more secure on my computer? >> a simple example, i have a neighbor who is ceo of intellectual property company. his i t group is two people. anything in the cloud is so offended he can do it himself. in my institution we have significant skill and expertise and particularly interesting target, our information is very hard to defend with basic level serve as than most of the cloud providers offer. >> for the average person their own home system is unlikely to be safe enough to give them the security they want. is good practice in general to store that information with people who professionally
7:24 am
trained to do it and one can transfer liability as well when they assume responsibility for the data. that is an important factor too. >> these providers have a much more robust infrastructure to protect your data than the individual at home. >> many of them would. >> thank the gentleman. >> thank you, chairman. mr manzullo. >> a couple questions, the distinctions that occur on these cyberattacks. and just make it on line. accessing 401(k) information. how broad does this get?
7:25 am
>> cyberattacks are are crossed our industry. they could be going against your checking account and addressed to your 401(k). if we have insurance companies report this so it is not just that particular isolation. >> the 401(k) is developed by a social security number. >> a lot of the providers use to do this practice and move away from it. some more aggressively than others. the underlying data base -- the authentication is based on other data selected by the customer. >> which means it is not covered? >> the overall account is protected but not using a security number --
7:26 am
>> the issue at one time you write a check taken to a bank and not worry about covering it for a couple days. it is all done electronically. and between banks. >> platforms -- the access to accounts that authorize those platforms to secure those actions have been targeted. >> what about social security that mandates social security checks have to be deposited or electronically into a person's checking account. we have a federal mandate. is that covered?
7:27 am
have there been instances the federal government has gone to transfer a social security recipients monthly check into a checking account and the money has not showed up before it got into the actual counts? >> i am not aware of any instances in that. >> last year on my e-mail account, someone came in, statement that was trapped in britain and spend 1500 hours and actually got another member of congress who is a democrat who called to see if i was ok and it was very generous on his part but they took all of my addresses and went in and had to reconstruct that. is this what we are talki
7:28 am
about? or is this more intense? >> we have been talking about things of high-intensity. it is a somewhat common scam and what happens is the access to your e-mail account you are at a hotel and find it and took your password and what they're doing is a technique called social engineering. trying to create a context your fellow members of congress--and were sympathetic and take action to send money they would not otherwise have done and that is the underlying technique the bad guys are using the riving behavior based on provocative messages. >> my colleagues would like me to stare in britain to get on it. the broader issue is senator rubin said he does not think outline. maybe this would be a revival --
7:29 am
we don't think -- i don't think i am on it because i have always been sort of old-fashioned as far as putting that stamp on and get it out, but until you stopped by the office yesterday are always presumed commercial accounts -- you make a reference in here to accounts from members of congress and their campaign fund. how pervasive is this? should the american people look at whether it is worth banking online? >> that is the threat that my victims group is trying to head off. cyberspace will become such an unsafe neighborhood that
7:30 am
americans will just decide make an urbane, and. individuals and businesses can't possibly have the cybersecurity expertise to secure online banking on their end. i further submit to you that you make community bankers in your district become a cybersecurity experts and spend time studying bulletin's instead of making loans to move our economy forward the bad guys have won even if they don't make off with a dime. so your money is currently not safe at the bank except a small number of very large banks eager improbably mr. weiss's for example that allow multi layered fraud control and brilliant
7:31 am
people monitoring them. otherwise whether you are randomly targeted like your yahoo! account was. the same people got the yahoo! account could get commercial accounts that your banking from that pc and get to your money. i do like the idea of buying a new pc to do online banking as a stimulus measure. as that $600 tax on our small organizations for thea $600 tax organizations for the privilege of using online banking -- >> i would have sent you money if i knew you were trapped. were you trapped again? >> i am not stuck in britain but this one says i have to share with you what people click on and someone selling a product out of their house.
7:32 am
this virus went through again and got back 15 or 20 people said you could have hacked in, i answered a friend's e-mail and said -- my answer to him was the virus myself. >> your first mistake, don't have friends. >> this doesn't hurt a politician. >> a couple questions for cantley. one was given to me by the chairman but i have a personal interest, let's see if i can phrase it the proper way. we often -- what we do is shut down the server but there is legacy software or software in the world sitting on computers and my understanding is we will have as creative souls that come in and set up a new hijacked --
7:33 am
how much is that mechanic because of the residency on computers around the world also a threat? >> that is a very large threat and if you would allow me to they fer to mr. weidefer to mr. has been active it is >> and my freezing it properly? >> just to address one of the initiatives we recently had with in the financial service sector we thought was a proactive thing to do on behalf of our customers to protect themselves was a partnership with others from the financial-services sector partering with microsoft to go after three of the dangerous ones that were responsible for many takeovers we had in the industry. >> one point of reference. when we say go after that,
7:34 am
>> this was the server action to go after the command and control infrastructure. >> the nature of my question is residency on individual computers and systems. >> what we normally find is when we talk about these e-mails people are clicking on when you click on what we get infected with these various -- more than likely that is not the only thing you have been infected with. the thing we took advantage of with this takedown project with microsoft was now that we have command and control infrastructure seized from criminals those computers are now phoning home or going back to the good guys. so instead of being under the control of the bad guys at this point -- >> you get a redirect. >> exactly. the long-term hope as we continue to collect forensic
7:35 am
evidence week at one point will be able to clean those machines and get them back under control of their owners. >> the chairman wanted me to ask and i will start -- quickly tell me if you are going to do one thing what would it be? >> from my particular crime we are blessed that it is easy to stop the solutions that are in place so move the responsibility as miss cantley spoke about to the processors and working with processors with guidance. my number one is actually we have got to stop malware. if we look at all these attacks from the pentagon on small-businesses and everybody, at the root of the attack is the fact that computers will run software that other people wrote who are not your friend and
7:36 am
haven't figured out the product that stopped working over five years ago we haven't gotten the working again. we can't detect the latest models malware. >> because of the threats of malware. we have to keep the ball rolling on the information sharing initiative that we have in place today with the existing legislation recently passed. to give you an example, in 2000 the 11, the third of the eighteen to maintain a regular presence and from that point going forward the ability on a daily basis to share threats vulnerability information between sectors, partners of government and made great strides in improving the relationship between the financial service sector and government partners. >> the threat sharing.
7:37 am
>> threat analysis. more could come from other sectors but taking that data and analyzing it to know when you have the incidents that really matters or more importantly when you see the trend that is coming out that you know you need to act sooner rather than later. >> threat analytics. >> i take a slightly different approach. i am concerned to reiterate the flight change problem that is to say the possibility that computer manufacturers or other nations states may be able to introduce pieces of hardware or software into computer routers, network servers and even network cables to be able -- in a way that individual companies -- there are methods inside the federal government in the intelligence factor working on this problem and we could get
7:38 am
those -- >> physical barriers. >> it is a problem in hardware and software but a significant problem is hardware coming out of something that appears to be a router but has specialized chips in it. >> forgive me for going so over time. >> take the program mentioned and french analysis and make sure it continues. >> engage the telecommunications industry. >> we have another definition. >> our telecommunications industry because of the fact they pass this traffic between us, our customers and other sectors are in a situation in our infrastructure where they see this traffic and if they were given the authority to dumped it that would get rid of
7:39 am
a lot. >> the gentlewoman from new york. >> thank you to all the panelists. last year the sec came out with guidance that financial firms had to disclose the cost of materials cyberattacks including a description of relevant insurance coverage to shareholders and how common is the use of fiberinsurance by financial institutions. do they have this insurance now? can someone answer? how common is this? >> not very common. in my institution who would venture me against all that money for transactions. >> what factors are considered in determining whether or not an institution has cyberrisk? >> the same factors that are
7:40 am
used that are part of all the other guidelines that we have are used to evaluate cyberrisk and going through that application process. >> there have been reports about pumping it up. i would like to ask those of you in the private sector what steps the private-sector has taken or federal regulators to prevent so-called pump and dump? these scams where thieves that tried to move the market by running of the price of security for buy and sell orders and the counts they have taken over? our common is this practice? are have read that in the paper that common is very uncommon. >> i don't have a sense of frequency. it happened the night that there has been a group called the national cyberfriends training line in pittsburgh, pennsylvania which is a collaboration of private-sector entities and law-enforcement partners where
7:41 am
information to those types of crimes are act upon in law enforcement and potentially referencing back activity being worked through. >> i would like to ask citi, mr. weiss, your great bank was the subject of a very high profile cyberattack in 2011. can you tell us what changes citi has made since then to protect your cybersecurity system? what is different now? >> i appreciate your referenced in may of 2011 impacted credit-card operation business and know personally identifiable information was disclosed as a result of that breached. we have had many lessons learned and invested many -- millions of dollars and people's time to improve monitoring and detection systems we have in place today to assure that breaches not
7:42 am
happen again. >> and would like to ask anyone familiar with their practices, supporting federal pre-emption of state laws related to breach disclosure and notification. what specific differences in state law those challenges for c cifma and why would you favor pre-emption? >> i will take a crack at that. the issue we have is being able to reconcile 50 different state laws and local regulations we have to deal with when it comes the notification and it is a time-consuming process to figure out which ones apply and what notification we have to supply and when and how much and consolidation to national breach notification standard we can rely on will eliminate that administrative overhead, that burden allows the turnaround in
7:43 am
notifications much more quickly and in the confusion customers are getting today when they receive multiple notifications and different formats and mediation standards. >> i would like to ask mr. woodhill, you made clear account takeovers continue to be a challenge at financial institutions and to what extent could regulatory changes address your concerns? is legislation -- or what actions are needed to address the problems that you perceive are there? >> if you read my bio you know i am not exactly a fan of regulation. in this particular case to stop this crime, it appears that a small -- reduce the net amount of regulation because it will take the guidance and make
7:44 am
community bankers study it but as ms. cantley said the new number responsibility -- a huge organization, a top security -- the banks had the necessary fraud control in place which paid for them to the processor was unaware of it. they are getting fraud alerts. they just didn't know to look at them and that bank spent $1 million of legal fees to defend the notion that they weren't responsible for transfers there getting these red alerts from their processor about. >> my time is expired. thank you. >> thank you. sharewoman biggert. >> thank you, mr. chairman.
7:45 am
following up on this little bit, miss cantley. there is a survey described in your written testimony, significant drop in commercial account takeovers between 2009-2010. what do you attribute this reduction? >> the answer may surprise you. you see the most recent survey, customer education was the most specific driver. >> any idea about current corporate account takeovers? >> it is specific to corporate
7:46 am
account takeover. >> mr. -- information sharing groups that you have, it seems there might be too many of these groups, each slightly different so that we might have a lot of information flowing back and forth. potentially the correct information may never get to the right place. is it possible -- should we be streamlining information sharing as we seek to improve this flow of information? >> i think the answer is probably on two levels. in terms of the initiative we take around best practices and improvements and resiliency i think we do work closely together across a number of organizations and associations we had and we try to make sure each of us is focusing on key areas and we are not wasting resources in terms of time and
7:47 am
effort. specific information sharing within our industry, we are doing a good job at the sharing centering information on the isack. when we think of sharing between sectors and sharing between public and private sector having standards that mr. weiss mentioned earlier in terms of how that data gets format it, how we look at it collectively will be important. i do think there is a risk that so much data will come in from so many different sources that we miss the answer in the analysis. >> thank you. a quick question. we have been talking so much about people have been hacking and or attacking. mr clancy, you said something about enforcement.
7:48 am
maybe this is beyond the scope but how many people get caught? what happens? what is the penalty and what happens? >> i don't have an answer on how many people were caught but a way to look at the problem is the attacks have been in a time scale of seconds, minutes and hours and law-enforcement happens in scales of months and years. the challenge we have is the difference between those two points. and focus on mitigation, stopping the event from expanding and preventing others from being similarly targeted. >> yield back. >> thank you, mr. chairman.
7:49 am
and deregulatiunder regulation get liability -- to protect small business from these. shift the liability to financial institutions. less interested from their protection. it does require them to notify which may be benefits the system. is that a good idea or bad idea? >> commercial and small-business customers are covered in every stage, that has stood the test of time in addressing this issue. >> what is the coverage amount?
7:50 am
>> standards need to be commercially reasonable. >> mr. weiss, anything else to add? >> looks like mr. woodhill. go-ahead. >> if i may. what commercially reasonable means as a matter of law has been the subject of lawsuits? two of them were settled for 1 hundred cents on the dollar just as soon as the bank saw what the judge had to say in denial of preliminary motion for preliminary finding for the defendant. one was actually won so far by the bank. one was actually won by the victim. the consensus at the big security conference this past
7:51 am
frank, the consensus among cyberlaw experts is given the new guidance, going forward, will be found currently to mean that the banks are liable. our victims' group has deep concerns about making small bankers liable for the risks that they can't really understand and can't really manage. we would like to see those risks and responsibilities moved to these big processor organizations. it is possible small banks would have to hold additional capital against the possibility that these large manned accounts might have to do a -- big transfers were fraudulent. not going back 90 days. this is too much for small business and too much for small
7:52 am
banks. >> thank you very much. i yield back. >> this will be the last question of the panel. i do appreciate your patience but this is an interesting area with lots and lots of layers. mr. manzullo. >> i brought a new computer a couple years ago and the store recommended x company software anti virus. for different amounts you got different coverage. is this stuff work? >> it works to a point. the challenge has been the attackers innovate and they run their attack software against the commercial products, not just the one you bought or everyone else buys and they make sure their attack code is resilience to detection. it is a cat and mouse game.
7:53 am
the date they create the software and sanded the commercial to you bought or the free to you find very often not. does it two weeks later? yes. very much they do but there's this window of time problem that is difficult to address and attackers continue to innovate. >> is worthwhile to buy some protection. >> you are better off with it than without it but it is not perfect. >> when my counts got hacked into last year and my address contact lists were stolen, i called a representative -- don't want to give the name of the company. a fairly responsible company and just wouldn't be fair to them publicly but the lady said because the information on the e-mail account was not stored in
7:54 am
my pc but somewhere -- the cloud or wherever else it was -- this anti spot where was unable to protect it. maybe you can explain to me when she tried to explain over the phone. >> essentially what happened most probably -- obviously i am just basing of on what you said, the sign in id was compromised and the bad guy log in from some other system and pretend that they were you to send out those e-mails or using a system to do that on their behalf as opposed to attacking your own personal laptop for computer you are using and because the credential is stolen it appeared to the male provider as you signing in with your password. so the client full on your pc didn't come in to play because it was external.
7:55 am
it would have potentially prevented the fact that the sign in to your e-mail account was taken in the first place if that actually occurred when using your computer and not something when you were traveling or another machine. >> the question is how did your log on id and password get compromised? malware watch you enter your user id password leaders will stole and transmitted it to the bad guys to use in that scam. there are other attack mode. you can recover user id passwords by knowing challenging questions that they research about you. there are other possibilities but almost always it is malware. >> the reason i asked the question is is it an option to cake and download what is in the cloud now directly on to your pc and would that make it more
7:56 am
secure? or open up everything else on the pc to that attack? >> it would make it less secure because the testimony among the experts is you can't secure -- two places it could be attacked, not just one. it could be physically stolen in a robbery of your house and the data would be on your hard disk. >> the final question is the deal goes on what the robotcalling that computers generate, a list of seven numbers and come of with a combination that it will ring. to people who do this take a look at somebody's pain and try to figure out different
7:57 am
combinations of that? how individual is this? or is it mostly on a broad based so that everybody gets hacked at one time? >> not correct because the school district has to act and had $340,000 and was their districts. >> i would say both. there are commodity attacks broadly targeted based on the e-mail list that was found and your name posted on website or what not and people trawling the internet looking for identity and targeted hacks are very convincing that are very personalized to the individual and you have sophisticated criminals doing those attacks and more basic farm team criminals doing more widespread things. >> yahoo! is my account. you really shouldn't have your
7:58 am
name on that address. would that be correct? such as jimwood@yahoo!.com? >> if you look at who lost money is random. your school district was randomly unlocking. every time banks sign someone up like your school district for online banking they get a kind of reverse lottery ticket that if their number is selected by criminals they lose $300,000 as crystal lake does. studies of the victim patterns doesn't matter if your name is included in that. just randomly unlucky to end up with malware and get their money stolen. those kinds of things -- criminals try everything. they try every attack every which way. you can't defend yourself. >> thank you. thank you to the panel.
7:59 am
this is interesting and i have a feeling we will be spending a lot more time on this subject over the next years to come. d. chairman notes that some members may have additional questions for this panel which they may wish to submit in writing. without objection -- i am always worried someone will walk in and object at that moment. the hearing will remain open for 30 days of members can submit written questions to the witnesses and place the responses in the record. i can almost assure you there were two or three members that had technical questions that will be coming to you. thank you for your participation. this hearing is closed. ..


info Stream Only

Uploaded by TV Archive on